Kernel params

SELinux Booleans

getsebool -a – Get all SELinux booleans and their values
semanage boolean --list – List all SELinux booleans, their current and default values and a short description.
setsebool httpd_enable_cgi on – Enable a SELinux boolean (temporary, until reboot)
setsebool -P httpd_enable_cgi on – Enable a SELinux boolean (persistently)

Relabeling whole file system

Troubleshooting

Log files

/var/log/audit/audit.log – Used by default if the auditd daemon is running
/var/log/messages – Used when auditd is not running or when setroubleshoot-server is installed.
Note: SELinux messages have the “AVC” prefix (Access Vector Cache) – grep "AVC" LOG_FILE
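The grep above is the manual version of this; as an added example (not from the original page), the script below reads constructed sample audit records, pulls out the AVC denials and summarizes them by permission, source domain, target type and whether the denial was actually enforced.

```shell
#!/bin/sh
# Added example, not from the original page: pull SELinux denials out of an
# audit log and summarize them, so the "grep AVC" step becomes repeatable.
# The records below are constructed samples, not from a real system.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000005.000:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.000:458): avc:  denied  { name_connect } for  pid=2222 comm="myapp" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF

# One line per AVC denial:
#   comm permission source_type target_type tclass permissive
# permissive=1 means the access was logged but not blocked (a permissive
# domain, see the Tips), so such lines are not the cause of a failure.
avc_denials() {
  grep 'type=AVC' "$1" | grep 'denied' | sed -n \
    's/.*denied  { \([^}]*\) } .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*permissive=\([01]\).*/\2 \1 \3 \4 \5 \6/p'
}

# Only the denials that were actually enforced.
enforced_denials() {
  avc_denials "$1" | awk '$6 == 0'
}

# Ports a confined process was refused to bind: check their label with
# "semanage port -l" before adding one with "semanage port -a".
denied_bind_ports() {
  grep 'type=AVC' "$1" | grep 'denied  { name_bind }' \
    | sed -n 's/.* src=\([0-9]*\) .*/\1/p' | sort -u
}

# Source domains ranked by number of enforced denials: which service to look at first.
domains_by_denials() {
  enforced_denials "$1" | awk '{print $3}' | sort | uniq -c | sort -rn
}

echo "== all denials ==";        avc_denials "$SAMPLE_LOG"
echo "== enforced only ==";      enforced_denials "$SAMPLE_LOG"
echo "== denied bind ports ==";  denied_bind_ports "$SAMPLE_LOG"
echo "== domains by denials =="; domains_by_denials "$SAMPLE_LOG"
```

On a real system point the functions at /var/log/audit/audit.log (or /var/log/messages when auditd is not running); the first field of each summary line is the process name, the third the domain to check booleans and port labels for.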

Examples

Update policy so Apache web server can serve data from /webpages dir

Update policy so Apache web server can bind to port 1234

$ semanage port -a -t http_port_t -p tcp 1234

Tips

Don’t forget that the currently running and the permanent SELinux configuration may differ, and the system may behave differently after a reboot if you forget to make the configuration permanent (setenforce vs /etc/selinux/config, setsebool vs setsebool -P, etc.).

If a service cannot bind to a port, check the SELinux label of the port and the logs for denial messages.

When you want to make SELinux permissive for a specified service or process only (because of debugging, testing, etc.), take a look at “Permissive domains” (man semanage-permissive).